EV charging infrastructure is seriously unsafe • The Register
If you’ve noticed car charging stations popping up near you, congratulations! They’re part of a growing web of systems so poorly secured they could one day be used to destabilize entire power grids, and contain enough security issues to be problematic today.
That’s the conclusion scientists at Sandia National Laboratory in Albuquerque, New Mexico came to after four years of investigating proven exploits and publicly disclosed vulnerabilities in electric vehicle supply equipment (EVSE) and conducting their own tests on 10 types of EV charger with colleagues from the Idaho National Lab.
“Can the power grid be affected by charging stations for electric vehicles? Absolutely,” said Brian Wright of Sandia, a cybersecurity expert who worked on the project. “It’s in the realm of what villains could and would do in the next 10 to 15 years. That’s why we have to be one step ahead in solving these problems,” Wright said.
Hey, I recognize this vulnerability!
However, there are many attacks that criminals could exploit right now, and researchers are already doing so. Unfortunately, it’s a grab bag of the same old problems we’ve seen in other tech sectors for years.
“There have been multiple demonstrations of credential stealing or charging manipulation over the EV-to-EVSE link,” the researchers said in their article. In one case, the researchers were able to spot and interrupt the charging process from a distance of 47 meters “on all seven vehicles and 18 EVSEs they examined” using a software-defined radio with less than 1 W of power.
RFID cloning is currently possible in early-generation EVSE infrastructure, which could let thieves charge their vehicles on someone else’s debit or credit card. Some iOS and Android apps used to manage charging sessions “could also be easily reverse engineered to reveal vulnerabilities in EVSE management and vendor cloud interfaces,” the researchers said.
EVSE web interfaces have problems that are easy to guess: they often use insecure web services that can be accessed from a local smartphone or computer, while chargers from multiple manufacturers can be found on the public internet. Vulnerabilities in web services used by chargers could allow an attacker to change configuration data or push malicious firmware updates, the report said.
The communication between chargers and cloud services also contained a number of problems, such as the lack of proper authentication methods, lack of sanitization of input fields, and even vulnerability to supply chain attacks as manufacturers maintained remote backdoor access.
Hardware vulnerabilities included a variety of outdated Linux kernels running superfluous services that could be accessed via exposed USB ports that would allow an attacker to upload malicious firmware. Some Raspberry Pi chargers have even been found to operate without secure bootloaders.
Oh, and since we’re going for all security bugs, the team naturally found numerous hard-coded credentials, unsalted hashed passwords, and other cryptographic no-nos.
That’s not cool
What did we learn? That the EV charging industry has treated cybersecurity the same way the companies behind the Internet of Things have treated it: as an afterthought.
Jay Johnson, the electrical engineer at Sandia behind the project, said he hopes his team’s findings would serve as a basis for understanding the current state of the industry, which is critical to fixing the problem.
“By conducting this survey of EV charger vulnerabilities, we can prioritize recommendations to policymakers and inform them of what safety improvements are needed by the industry,” he explained.
“The government can say ‘produce safe electric vehicle chargers’, but budget-minded companies don’t always go for the most cyber-secure implementations. Instead, the government can support the industry directly by providing fixes, advice, standards and best practices,” Wright added.
Unsurprisingly, Sandia recommends some basic cyber hygiene, like removing services you don’t need, updating software, locking down physical ports, and using the right encryption.
The team also suggested implementing better methods of authenticating EV owners, such as [PDF] Suggestions.
Johnson’s team isn’t done yet and has received follow-on funding to fill some of the gaps it found alongside the Idaho and Pacific Northwest National labs. Together, the three are working on developing a system for EV chargers that uses new methods to protect public infrastructure from good-for-nothings.
But until the government steps in with some regulations, Johnson said things will not improve.
Many EVSE manufacturers, Johnson told The Register, are “trying desperately to keep up with demand.” While regulations were debated, Johnson said they were unlikely to appear for at least a year. Note that this applies in the US; the UK has already proposed regulations for EV chargers that will come into force next year.
While some vendors have improved their security, Johnson said those companies are at a disadvantage compared to those that get products to market quickly. “Until there is regulation that creates a level playing field, market trends will favor insecure systems,” Johnson said. ®
https://www.theregister.com/2022/11/15/ev_charging_infrastructure_sandia/